How to remove duplicate alerts.


sekhar reddy

Jun 29, 2022, 8:51:43 PM
to Wazuh mailing list
Hi Team,

In Wazuh, we have configured alerts to be sent to Microsoft Teams. We are receiving security/vulnerability alerts, but I observed they are duplicates.
Could you let me know if duplicate alerts can be filtered/blocked?

Is there a way we can limit the number of alerts per day or block the alerts?

We have configured the rule level >=12 

Regards,
A.Sekhar

Matias Pereyra

Jun 30, 2022, 10:29:59 AM
to Wazuh mailing list
Hi!

What is your Wazuh version?
Since v4.3.0, the vulnerability detector will only generate an alert when a new vulnerability has been detected or solved. See Alerts generation for more information.

But if you haven't upgraded yet, you can filter the alerts you are sending to Microsoft Teams.
Are you using an integration block? It has some filters, like <group> for example, to only receive alerts that belong to a specific group list.

Also, the .py script could be modified to discard only the alerts from the vulnerability-detector group.

There is also an interesting blog post about this integration with a complete example: https://www.infopercept.com/sending-alerts-to-microsoft-teams-from-wazuh/

Regards.
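The two options in the reply above (filter in the integration block, or filter inside the custom .py script) can be combined with a suppression window so that a flood of the same alert reaches Teams once, not once per hit. The following is an added example, not code from this thread or from Wazuh's own integration scripts. Wazuh invokes a custom integration script once per alert and hands it the path of a file containing that alert as JSON; the functions below model the decision such a script would make before posting. The excluded group, the 60-second window, the daily cap and the sample alerts are all assumptions constructed for this example; a real script is a fresh process per alert and would have to persist `state` to disk, which is left out here.

```python
"""
Added example (not the thread's or Wazuh's own custom-teams script): a
suppression layer for a Wazuh custom integration script.

Decision rules for an incoming alert:
  * alerts whose rule groups include an excluded group are dropped,
  * repeats of the same (agent id, rule id) inside SUPPRESS_SECONDS are dropped,
  * a per-day cap per (agent id, rule id) stops unbounded floods.
The state dict is kept in memory here for demonstration only; a real script
runs once per alert and would persist it (path/format is an assumption).
"""
import json
import time
from collections import defaultdict

EXCLUDED_GROUPS = {"vulnerability-detector"}   # assumption: drop VD alerts entirely
SUPPRESS_SECONDS = 60                          # at most one forward per key per minute
DAILY_CAP = 20                                 # per key per UTC day


def alert_key(alert):
    """What counts as 'the same alert': which agent and which rule fired."""
    return (alert["agent"]["id"], alert["rule"]["id"])


def is_excluded(alert, excluded=EXCLUDED_GROUPS):
    """True when any of the rule's groups is on the exclusion list."""
    return bool(set(alert["rule"].get("groups", [])) & excluded)


def new_state():
    return {"last_sent": {}, "daily": defaultdict(int)}


def should_forward(alert, state, now):
    """
    Return True when the alert should be posted to Teams, updating state.
    state["last_sent"]: {key: epoch of last forward}
    state["daily"]:     {(key, "YYYY-MM-DD"): forwards so far that UTC day}
    """
    if is_excluded(alert):
        return False
    key = alert_key(alert)
    day = time.strftime("%Y-%m-%d", time.gmtime(now))
    last = state["last_sent"].get(key)
    if last is not None and now - last < SUPPRESS_SECONDS:
        return False                      # same agent+rule inside the window
    if state["daily"][(key, day)] >= DAILY_CAP:
        return False                      # daily budget for this key exhausted
    state["last_sent"][key] = now
    state["daily"][(key, day)] += 1
    return True


def process_alert_lines(lines, state=None, start=1_700_000_000.0, spacing=1.0):
    """
    Feed JSON alert lines through should_forward, `spacing` seconds apart
    starting at epoch `start`; return the (agent id, rule id) keys forwarded.
    """
    state = state if state is not None else new_state()
    forwarded = []
    for i, line in enumerate(lines):
        alert = json.loads(line)
        if should_forward(alert, state, start + i * spacing):
            forwarded.append(alert_key(alert))
    return forwarded


# Constructed sample alerts (not real data): 50 Shellshock hits from agent 009
# within a minute, one vulnerability-detector alert, one hit from another agent.
SHELLSHOCK = json.dumps({
    "agent": {"id": "009", "name": "server01"},
    "rule": {"id": "31169", "level": 15, "groups": ["web", "attack", "shellshock"]},
    "location": "/var/log/nginx/access.log",
})
VD_ALERT = json.dumps({
    "agent": {"id": "036", "name": "system1"},
    "rule": {"id": "23506", "level": 13, "groups": ["vulnerability-detector"]},
    "location": "vulnerability-detector",
})
OTHER_AGENT = json.dumps({
    "agent": {"id": "010", "name": "server02"},
    "rule": {"id": "31169", "level": 15, "groups": ["web", "attack", "shellshock"]},
    "location": "/var/log/nginx/access.log",
})
SAMPLE_LINES = [SHELLSHOCK] * 50 + [VD_ALERT, OTHER_AGENT]

if __name__ == "__main__":
    # 52 alerts in, 2 forwarded: one for agent 009 and one for agent 010.
    print(process_alert_lines(SAMPLE_LINES))
```

Keying on (agent id, rule id) is the coarse choice the thread asks for ("the same alert for the same agent"); adding `data.srcip` to the key would keep alerts from distinct attackers separate at the cost of letting a scanner with many source addresses through. Whatever the key, the suppression only affects what reaches Teams; the alerts are still written to alerts.json on the manager, which is the right place for them.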

sekhar reddy

Jul 6, 2022, 11:12:28 AM
to Matias Pereyra, Wazuh mailing list
Hi Matias,

I am using v4.2.5. I have already integrated alerts to Teams, but I am getting the same alert for the same agent more than 50 times in a minute.
Is there a way to discard or ignore those alerts once the alert has already been generated?

EX:

WAZUH Alert: Shellshock attack detected
Agent: (009) - xxxxx
Location: /var/log/nginx/access.log
Rule ID: 31169 (Level 15)
Log: x.x.x.x - - [06/Jul/2022:01:00:13 -0700] "GET /xampp/cgi.cgi HTTP/1.1" 200 778 "-" "() { ; } >[\((\)())] { echo Content-Type: text/plain ; echo ; echo \x22bash_cve_2014_6278 Output : $((91+8))\x22; }" "-"




Matias Pereyra

Jul 6, 2022, 6:47:49 PM
to Wazuh mailing list
Hello again!

Sorry for the confusion, I understood that you had repeated vulnerability detector alerts.

The rule 31169 you are receiving will be triggered every time Wazuh finds in /var/log/nginx/access.log a request that matches the regular expression the rule defines (you can see it in /var/ossec/ruleset/rules/0245-web_rules.xml).

This message means an attacker is trying to exploit the vulnerability CVE-2014-6278 on your host.

First, make sure your system isn't vulnerable by applying the corresponding patches.
Then, you can follow the guide Detect and react to a Shellshock attack to configure a proper active response that will block the attacker the next time.

You can contact us again if you have any problem configuring the Active Response.
Regards.

sekhar reddy

Jul 14, 2022, 2:52:46 AM
to Wazuh mailing list
Hi Matias,

I have configured alerts to be sent to Microsoft Teams. There is a system that performs Shellshock tests on particular agents and fires the rules 31169 and 31168 when the test is performed against those agents. I would like to ignore this particular alert, or ignore it on specific agents, when we get a "Shellshock detected" alert nearly 100 times a minute.

I have created an overwrite rule in the local_rules.xml file but am not sure if this works.
Basically, I am trying to match the IP (10.20.30.40 / 20.30.40.50) of my test machine which performs the Shellshock attack on the agents.

Do I have the option of setting the rule to skip this particular alert or a particular agent?


  <rule id="31108" level="15"  overwrite="yes">
    <match>10.20.30.40</match>
    <options>no_email_alert</options>
    <options>no_log</options>
    <description>Shellshock attack detected</description>
  </rule>

  <rule id="31108" level="15"  overwrite="yes">
    <match> 20.30.40.50 </match>
    <options>no_email_alert</options>
    <options>no_log</options>
    <description>Shellshock attack detected</description>
  </rule>


Sample output from Teams

Shellshock attack detected
Agent: (009) - server01
Location: /var/log/nginx/access.log
Rule ID: 31168 (Level 15)
Log: 10.20.30.40 - - [13/Jul/2022:01:01:15 -0700] "GET /cgi-bin/clwarn.cgi HTTP/1.1" 200 778 "-" "() { ignored; }; echo Content-Type: text/plain ; echo ; echo \x22bash_cve_2014_6271_rce Output : $((8+30))\x22" "-"


Thanks,

A.Sekhar


Matias Pereyra

Jul 14, 2022, 9:01:42 AM
to Wazuh mailing list
Hello again!

Now I completely understand the situation.

I suggest you create a new child custom rule instead of overwriting the original ones.
We'll add both IPs with the srcip tag, and the ignore option is specifically meant to avoid flooding (see rule). I've added this rule in etc/rules/local_rules.xml:

  <rule id="100002" level="15" ignore="60">
    <if_sid>31168, 31169</if_sid>
    <srcip>10.20.30.40</srcip>
    <srcip>20.30.40.50</srcip>
    <options>no_email_alert</options>
    <description>Shellshock test detected</description>
  </rule>

With this configuration, the email won't be sent and the alert is generated only once per minute (60 seconds).
Regards.

sekhar reddy

Jul 14, 2022, 11:32:34 AM
to Wazuh mailing list
Thank you again, Matias. I'll update the rule. Is there a way we can configure the rule to filter on a particular agent instead of on source IPs? Source IPs work now, but the test machine IP is not static, so it may change over time.

Would it be possible to apply a custom rule only to a specific agent? 

Regards,
A.Sekhar

Matias Pereyra

Jul 15, 2022, 9:19:25 AM
to Wazuh mailing list
Hi.

If you want to configure the rule for a particular agent and not for a srcip, you can use the location tag.
Also, let me modify the rule I shared above because it won't work as expected. You'll still get flooded because the original rule will still match; sorry for any inconvenience.

This should be the final version:

  <rule id="100002" level="0">
    <if_sid>31168, 31169</if_sid>
    <location>agent1</location>
    <description>Shellshock test detected</description>
  </rule>

When you use level="0", the event is ignored. So now you won't receive any alert of this type from this agent.

Regards.

sekhar reddy

Jul 18, 2022, 2:44:00 PM
to Matias Pereyra, Wazuh mailing list
Hi Matias,

The above rule worked when I used ignore="60". In this case, will it mute for 60 sec and then generate alerts again if Shellshock gets detected?

I have a few more questions. 

-> Suppose I have 30 agents (all running Linux) with the same vulnerability; we would receive 30 alerts. Is there a way to send a single alert for all agents with the same vulnerability?

The same vulnerability alert was being sent to the same agent multiple times at the same time. Could there be a global configuration to send a single alert rather than multiple alerts for an agent? 

CVE-2015-20107 affects libpython3.6-minimal
Agent: (036) - system1
Location: vulnerability-detector
Rule ID: 23506 (Level 13)
Log:

CVE-2015-20107 affects libpython3.6-stdlib
Agent: (036) - system1
Location: vulnerability-detector
Rule ID: 23506 (Level 13)
Log:

CVE-2015-20107 affects python3.6
Agent: (036) - system1
Location: vulnerability-detector
Rule ID: 23506 (Level 13)
Log:

CVE-2015-20107 affects python3.6-minimal
Agent: (036) - system1
Location: vulnerability-detector
Rule ID: 23506 (Level 13)
Log:

CVE-2015-20107 affects python3.6-minimal
Agent: (036) - system1
Location: vulnerability-detector
Rule ID: 23506 (Level 13)
Log:


Matias Pereyra

Jul 25, 2022, 9:22:15 AM
to Wazuh mailing list
Hello again!

Sorry for the delay, I was out of the office.

I corrected the rule because I noticed that using the ignore tag would only trigger the custom rule once per minute, but the parent rule will trigger anyway, so it wasn't the desired behavior.

On the other hand, if you have a new question about another topic please open a new thread; this helps us keep the community channels organized. In that new thread, please include the logs of the alerts you are receiving, because the vulnerability detector should generate only one alert per vulnerability (CVE-package tuple) per agent per scan. Now, if you have the same alert but with a different agent ID, these alerts can't be centralized.

Also, what Wazuh version do you have on the manager? Because the vulnerabilities inventory released in 4.3.0 avoids duplicate alerts after every scan and only reports the changes.

Regards.
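Before opening that new thread with logs, it is worth measuring the repetition directly in the manager's alerts.json rather than in the Teams channel, because the reply above sets the expectation: one vulnerability-detector alert per (CVE, package) per agent per scan, and the four python3.6 entries shown earlier are four distinct packages, not duplicates. The script below is an added example, not code from this thread or from Wazuh; it groups alerts by an identity key and reports, for keys seen more than once, how many times they appear and how many seconds separate the first and last occurrence. Repeats spaced by the scan interval are the pre-4.3 behaviour; repeats seconds apart point at something else. Field names follow the Wazuh 4.x alert JSON (rule.id, agent.id, timestamp, data.srcip, data.vulnerability.cve, data.vulnerability.package.name) as an assumption, and the sample alert lines are constructed for the example.

```python
"""
Added example (not from the thread or Wazuh): count repeated alerts in
alerts.json by an identity key, with the time span they cover.
Field names follow the Wazuh 4.x alert JSON schema (assumption).
"""
import json
from collections import Counter
from datetime import datetime


def dedup_key(alert):
    """
    Identity of an alert for duplicate counting.
    Vulnerability-detector alerts are keyed by (agent, rule, CVE, package), so
    one CVE affecting four packages shows as four distinct alerts; everything
    else is keyed by (agent, rule, source IP).
    """
    agent = alert["agent"]["id"]
    rule = alert["rule"]["id"]
    data = alert.get("data", {})
    vuln = data.get("vulnerability")
    if vuln:
        return (agent, rule, vuln.get("cve"), vuln.get("package", {}).get("name"))
    return (agent, rule, data.get("srcip"))


def parse_ts(ts):
    """Wazuh alert timestamps look like 2022-07-26T01:00:13.000+0000."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def summarize(lines, min_count=2):
    """
    Return {key: (count, seconds between first and last occurrence)} for every
    key that appears at least `min_count` times in the given alert lines.
    """
    counts = Counter()
    first, last = {}, {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        alert = json.loads(line)
        key = dedup_key(alert)
        ts = parse_ts(alert["timestamp"])
        counts[key] += 1
        first.setdefault(key, ts)
        last[key] = ts
    return {k: (n, (last[k] - first[k]).total_seconds())
            for k, n in counts.items() if n >= min_count}


# Constructed sample alerts (not real data): five Shellshock hits one second
# apart, four distinct package alerts for one CVE, and one genuine repeat.
def _shellshock(i):
    return json.dumps({
        "timestamp": f"2022-07-26T01:00:{13 + i:02d}.000+0000",
        "agent": {"id": "009", "name": "server01"},
        "rule": {"id": "31169", "level": 15, "groups": ["web", "attack"]},
        "location": "/var/log/nginx/access.log",
        "data": {"srcip": "10.20.30.40", "url": "/xampp/cgi.cgi"},
    })


def _vuln(pkg, seconds):
    return json.dumps({
        "timestamp": f"2022-07-26T02:00:{seconds:02d}.000+0000",
        "agent": {"id": "036", "name": "system1"},
        "rule": {"id": "23506", "level": 13, "groups": ["vulnerability-detector"]},
        "location": "vulnerability-detector",
        "data": {"vulnerability": {"cve": "CVE-2015-20107",
                                   "package": {"name": pkg}}},
    })


SAMPLE_ALERTS = [_shellshock(i) for i in range(5)] + [
    _vuln("libpython3.6-minimal", 0),
    _vuln("libpython3.6-stdlib", 1),
    _vuln("python3.6", 2),
    _vuln("python3.6-minimal", 3),
    _vuln("python3.6-minimal", 40),   # the only true repeat in the sample
]

if __name__ == "__main__":
    # Usage on a manager: summarize(open("/var/ossec/logs/alerts/alerts.json"))
    for key, (n, span) in sorted(summarize(SAMPLE_ALERTS).items()):
        print(f"{n:3d}x over {span:6.0f}s  {key}")
```

On the constructed input only two keys repeat: the Shellshock hits from one source (5 in 4 seconds, which is rule 31169 doing its job on a scanner) and one package alert seen twice. The three other python3.6 packages are not duplicates, which is the distinction the reply above draws.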

sekhar reddy

Jul 26, 2022, 1:28:30 PM
to Matias Pereyra, Wazuh mailing list
Hi Matias,

I am sorry to bother you again, but the rule you provided isn't working in the local_rules.xml file. I noticed 70+ alerts triggering earlier in the day. Could you please let me know if the rule below needs to be updated?

Firstly, I don't understand why the Wazuh manager is sending similar alerts for the same agent so many times.

  <rule id="100002" level="15" ignore="90">
    <if_sid>31168, 31169</if_sid>
    <srcip>23.10.15.246</srcip>
    <srcip>22.10.15.246</srcip>
    <srcip>22.10.15.245</srcip>
    <srcip>22.10.15.241</srcip>
    <srcip>22.10.15.242</srcip>
    <srcip>22.10.15.243</srcip>
    <srcip>22.10.15.244</srcip>
    <options>no_email_alert</options>
    <description>Shellshock test detected</description>
  </rule>

Thanks & Regards,
A.Sekhar

Matias Pereyra

Jul 27, 2022, 8:21:29 AM
to Wazuh mailing list
Hi again!

No problem at all, we are here to help.

Remember that I made a correction: if you use the child rule with the ignore tag, you'll still get the alerts from the parent rule.
But if you set the level of the alert to 0, then all the events will be ignored.

  <rule id="100002" level="0">
    <if_sid>31168, 31169</if_sid>
    <srcip>23.10.15.246</srcip>
    <srcip>22.10.15.246</srcip>
    <srcip>22.10.15.245</srcip>
    <srcip>22.10.15.241</srcip>
    <srcip>22.10.15.242</srcip>
    <srcip>22.10.15.243</srcip>
    <srcip>22.10.15.244</srcip>
    <options>no_email_alert</options>
    <description>Shellshock test detected</description>
  </rule>

Let me know if this works.
Regards.